Security Blog Log: Taking Google Code Search for a spin

In its official blog, the search giant touts Google Code Search as giving responsible programmers a single place to search publicly accessible source code.

"Our view is what's good for the Web is good for Google -- we want users to have the best online experience possible, and we hope [tools like Google Code Search] will help developers create compelling applications for their users," Google Senior Product Manager Bret Taylor wrote.

Google's main search engine has long been a resource for hackers, who use it to pinpoint Web sites that might be ripe for attack. Google Code Search simplifies the process by letting users search for regular expressions or exact strings and restrict their searches to code written in specific programming languages. As Fisher wrote, the tool searches all of the publicly available source code it can find, which includes not just open-source code intentionally made available to the public, but also any code in a Concurrent Versions System (CVS) repository or other form that a developer happens to leave on a public server.

About Security Blog Log:

Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com.

But many bloggers viewed the arrival of Google Code Search more positively. Some see it as a genuinely useful tool for finding flaws or writing more ironclad code. For others, it's simply a new toy for finding dirty words and famous names within lines of code.

Information security specialist Nitesh Dhanjani wrote in the OnLamp.com blog that thanks to Google Code Search, it's now easier to scan publicly available source code for potential security issues.

He noted that the idea is to query Google Code Search using techniques previously reserved for local static code analysis, a process he said has drawbacks -- a high rate of false positives and an inability to detect logic errors that may lead to security bugs, for example. But on balance, he added, "static code analysis tools can be used to perform a quick first pass on the source code to detect bugs."
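The "query the corpus like a static analyzer" idea above, as an added illustration that is not code from the column, from Nitesh Dhanjani or from Google Code Search: a small Python scanner that runs the kind of regular-expression queries a code search engine accepts over a three-file corpus constructed for the example, honours a language restriction the way a lang: qualifier would, and shows the false-positive problem Dhanjani mentions (a prompt label that matches a "hard-coded password" pattern, a commented-out call that matches an "unbounded copy" pattern). The patterns, the sample files and the extension-to-language map are all assumptions made for this example.

```python
"""Regex-driven first-pass scan of source code, in the spirit of running
code-search queries as a crude static analyzer.  Added example; the rules,
sample files and language map are constructed, not taken from the column."""
import re
from dataclasses import dataclass

# Assumed extension -> language map, standing in for a lang: restriction.
LANG_BY_EXT = {".c": "c", ".h": "c", ".php": "php", ".py": "python", ".java": "java"}

# Constructed rules in Perl/POSIX-ERE style (Python's re accepts them as-is).
# Each is deliberately broad: a first pass trades precision for recall.
PATTERNS = {
    # unbounded copies into fixed buffers: a classic overflow lead
    "unbounded_copy": re.compile(r"\b(strcpy|strcat|sprintf|gets)\s*\("),
    # a credential-looking name assigned a string literal
    "hardcoded_secret": re.compile(
        r"\b(passw(or)?d|secret|api_?key)\s*=\s*['\"][^'\"]+['\"]", re.I),
    # SQL assembled by string concatenation or interpolation
    "sql_concat": re.compile(
        r"\b(SELECT|INSERT|UPDATE|DELETE)\b[^;\n]*(\"\s*\.\s*\$|\+\s*\w)", re.I),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    text: str


def language_of(path):
    """Guess a file's language from its extension; 'unknown' if unmapped."""
    ext = path[path.rfind("."):] if "." in path else ""
    return LANG_BY_EXT.get(ext, "unknown")


def is_comment(line, lang):
    """Very rough comment-only-line test, just enough to trim one noise source."""
    s = line.strip()
    if lang in ("c", "java", "php") and (s.startswith("//") or s.startswith("/*")):
        return True
    if lang in ("python", "php") and s.startswith("#"):
        return True
    return False


def scan(corpus, patterns=PATTERNS, lang=None, skip_comments=True):
    """Run every pattern over every line of every file in `corpus`
    (a mapping of path -> source text), in corpus order.  `lang` restricts
    the scan the way a lang: qualifier would; comment-only lines can be
    dropped to remove one common class of false positives."""
    findings = []
    for path, text in corpus.items():
        file_lang = language_of(path)
        if lang is not None and file_lang != lang:
            continue
        for no, line in enumerate(text.splitlines(), start=1):
            if skip_comments and is_comment(line, file_lang):
                continue
            for name, rx in patterns.items():
                if rx.search(line):
                    findings.append(Finding(path, no, name, line.strip()))
    return findings


# Constructed sample corpus: two real hits, one concatenated query,
# one commented-out credential and one prompt string that looks like one.
SAMPLE_CORPUS = {
    "net/parse.c": """\
#include <string.h>
/* strcpy(dst, src) was replaced below; see ticket */
int parse(char *src) {
    char buf[64];
    strcpy(buf, src);               /* real hit: no bound check */
    strncpy(buf, src, sizeof buf);  /* bounded: not matched */
    return 0;
}
""",
    "web/login.php": """\
<?php
$password = "hunter2";  // real hit: literal credential
$q = "SELECT * FROM users WHERE name='" . $_GET['u'] . "'";
?>
""",
    "tools/config.py": """\
# password = 'changeme'   (commented out: dropped when skipping comments)
password = 'Password:'  # false positive: a prompt label, not a credential
""",
}

if __name__ == "__main__":
    for f in scan(SAMPLE_CORPUS):
        print(f"{f.path}:{f.line_no}: [{f.rule}] {f.text}")
```

With the defaults the scan returns four findings; switching `skip_comments` off adds two more that a human would discard on sight, and `lang="c"` narrows the run to the single C hit. The prompt-label match in `tools/config.py` survives every filter, which is exactly the residual false-positive rate Dhanjani warns a first pass will carry into manual review.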

Security luminary Bruce Schneier made mention of the tool in his blog, noting how people could use it to "find usernames and passwords, confidential code, buffer overflows, and all sorts of other things."

While many security pros would see that as bad news, one respondent to Schneier's blog saw a potential silver lining: "Essentially, this will force a massive audit of existing Internet code." Another respondent wrote that the tool is "a positive thing for everyone" because more eyes on the code means better security in the long run.

The "Security to the Core" blog, kept by Lexington, Mass.-based Arbor Networks, included a positive assessment of Google Code Search from "long-time Arbor hacker" Aaron Campbell.

After 27 years, he wrote, "you'd think static code analysis would be dead. But nothing could be further from the truth. This much I've proven to myself … after toying with Google's newest gift to the world."

Campbell noted that Google Code Search isn't exactly a new concept. For example, he said, the Koders search engine launched last year and claims to have a database with 225,816,744 lines of searchable open source code.

But, he said, Google has "seriously one-upped the competition by providing regular expression matching." Not a hacked-up, watered-down subset of regexp, he said, but "full POSIX extended regular expression syntax, as well as select Perl extensions."

Campbell admitted that he threw a "naughty" word into his first search. "Much to my amusement, the first page of results contained colorful language not only in code comments, but also variable and function names," he said. "Potty mouths, the whole lot of us."

Another blogger, Dan Century, used Google Code Search to hunt down famous names residing in code. In his blog, he offered a list of his findings:
